France: CNIL fines Yahoo €10M for unlawful use of cookies

On January 18, 2024, the French data protection authority (CNIL) published Decision No. SAN-2023-024, as issued on December 29, 2023, in which it imposed a fine of €10 million on Yahoo EMEA Limited (Yahoo) for violation of Act No. 78-17 of January 6, 1978, on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (the Act), following individual complaints.

Background to the decision

Firstly, CNIL clarified that Yahoo was created following the acquisition of Verizon Media by Apollo Global Management. Further, CNIL outlined that it has territorial jurisdiction since the processing consists of operations affecting users residing in France during the use of yahoo.com and Yahoo mail, which is carried out within the context of Yahoo France.

CNIL noted that the complaints received concerned the inability to refuse cookies when using 'yahoo.com' and the email service 'Yahoo mail.'

Findings of CNIL

Following its investigation, CNIL found that when a user visited yahoo.com, at least 20 cookies were placed on the user's device, without the user having provided any consent to the deposition of such cookies. More specifically, CNIL noted that although a manage settings option was presented on yahoo.com, 26 cookies were deposited on user devices, including some with advertising purposes, without the user having selected and consented to such cookies. Similarly, CNIL detailed that when navigating to yahoo.com to create an email account on Yahoo mail, advertising cookies were also deposited without the user having consented to such cookies.

In addition, regarding Yahoo mail, CNIL stipulated that when attempting to withdraw consent to the deposition of cookies, messages were displayed that encouraged users not to withdraw their consent, failing which users would lose access to Yahoo mail. CNIL recalled that consent is not considered to have been freely given if the persons concerned do not have genuine freedom of choice or are not able to refuse or withdraw consent without suffering harm. Under such conditions, CNIL considered that the withdrawal of consent could not be exercised freely, since an email address constitutes an element of the private life of a user. CNIL specified that users may find themselves captive to a particular messaging service, and therefore cannot easily replace the email service with another similar service.

Finally, CNIL considered the large number of people affected, numbering approximately 5 million unique visitors to yahoo.com.

Therefore, CNIL found Yahoo to have violated Article 82 of the Act.

Outcomes

In light of the above, CNIL imposed a fine of €10 million on Yahoo.

You can read the press release here and the decision here, both only available in French.
